amoro icon indicating copy to clipboard operation
amoro copied to clipboard
verified publisher icon apache

[AMORO-2692] Support proxy user in terminal

Open link3280 opened this issue 1 year ago • 5 comments

Why are the changes needed?

Close #2692.

Brief change log

  • Add proxy user parameter to the REST API.
  • Support impersonation in spark terminal.

How was this patch tested?

  • [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

  • [ ] Add screenshots for manual tests if appropriate

  • [ ] Run test locally before making a pull request

Documentation

  • Does this pull request introduce a new feature? (yes / no)
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

link3280 avatar Mar 31 '24 05:03 link3280

I‘m looking forwared to this PR! But I have some questions It seems ams-server did not include authorization and authentication, How can we use this function on ams terminal? Do we consider support proxy on spark engine?

xieyi888 avatar Apr 01 '24 09:04 xieyi888

@xieyi888 Thanks for your input!

It seems ams-server did not include authorization and authentication, How can we use this function on ams terminal?

Do you mean the kerberos authentication? Ideally, the terminal would use the UGI in TableMetaStore.RuntimeContext, but in fact the UGI cannot cover the usages like Iceberg async tasks. This PR mainly makes the spark user right. For example, the table created would have the proxy user as its owner.

WRT authorization, I think that's the catalog's job and not relevant to the amoro terminal.

Do we consider support proxy on spark engine?

I think it's doable via Kyuubi. But I haven't got the chance to verify it yet.

link3280 avatar Apr 01 '24 11:04 link3280

@link3280 From your PR, it seems that you are calling terminal by REST API? so that you can pass the proxyUser from http parameters. But this is not working for user executing SQL via WebBrowser.

baiyangtx avatar Apr 07 '24 09:04 baiyangtx

@link3280 From your PR, it seems that you are calling terminal by REST API? so that you can pass the proxyUser from http parameters. But this is not working for user executing SQL via WebBrowser.

That's right. This PR doesn't involve web UI changes.

link3280 avatar Apr 08 '24 07:04 link3280

I think it's doable via Kyuubi. But I haven't got the chance to verify it yet.

Hi @link3280, Can you explain more details how to execute SQL statements with configured user?

xxubai avatar May 10 '24 13:05 xxubai